> On 12 Nov 2019, at 15:35, Fred Beckhusen <f...@mitsi.com> wrote:
>
> --ooo------/\/\/\-----|(------ooo------/\/\/\-----|(------ooo----
> Fred K. Beckhusen
> President
> Micro Technology Services, Inc.
> fre...@mitsi.com
> tel: (888) 230-MTSI Toll Free
> cel: (469) 951-7635
> http://www.mitsi.com
>
> I would think a grid could be very trustworthy with this patch, as the
> headers are set in code. No one but the grid operator can change them. I am
> assuming the HTTP_CUSTOM_HEADER does not override these settings, or can be
> detected. Has this been tested?

While custom headers set by script should already be overridden by generated ones, the problem with trusting these headers is that they can still be very easily spoofed by other means; unless the web-service you are sending the request to maintains a list of valid simulator IP addresses, it has no way of knowing if a request came from a legitimate simulator, or from some other source.

For example, common command line tools such as cURL can be used to build custom HTTP requests, allowing you to set the value of headers to anything you like, because that's just how HTTP works. So if I were a malicious actor and could figure out enough about your API, I could send it any requests I want.

This is why I raised the possibility of a callback mechanism a little while ago, as this could at least be used to verify whether an IP address is permitted to send HTTP requests on behalf of a grid:
http://opensimulator.org/wiki/User:Haravikk_Mistral/RegionVerification

Even with that, all this does is confirm that a request came from a (probably) genuine simulator belonging to the grid that the request claimed to come from, i.e. you can be reasonably sure the request is from an actual script on an OpenSimulator grid. If you know that the grid is fully privately operated (i.e. doesn't allow others to set up simulators and properly configures them) then, and only then, can you be confident that the headers weren't spoofed and should be okay to process without additional checks.

But that still doesn't do anything to establish the trustworthiness of the specific object sending the request, or the owner of that object, which is why for anything sensitive you still need some kind of authentication like a password, public key or such that only the person you expect could have provided.

Of course, if all you're tracking is non-sensitive information (like the example of a lost object tracker) then none of this is all that critical, but for anything else headers are useful information, but they shouldn't be viewed as always reliable or authoritative.

_______________________________________________
Opensim-dev mailing list
Opensim-dev@opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
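
As an added example (not part of the message above and not OpenSimulator code), this sketches the receiving web service's side of the checks the message describes: a simulator address list first, then a per-object secret. The network range, the secret, the object key and the `X-Demo-Signature` header are constructed for illustration, and `X-SecondLife-Object-Key` is assumed to be the object-key header the simulator attaches.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values: a documentation-range network and a made-up secret.
SIMULATOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]
OBJECT_SECRETS = {"11111111-2222-3333-4444-555555555555": b"constructed-demo-secret"}


def sign(secret: bytes, body: bytes) -> str:
    """Tag the sender attaches; only a holder of the secret can produce it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def trust_level(remote_ip: str, headers: dict, body: bytes) -> str:
    """Classify a request as 'authenticated', 'simulator-only' or 'untrusted'.

    remote_ip must be the socket peer address seen by the server,
    never a value read from a request header.
    """
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return "untrusted"
    if not any(addr in net for net in SIMULATOR_NETWORKS):
        # The headers may look perfect: any HTTP client can set them.
        return "untrusted"

    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    secret = OBJECT_SECRETS.get(h.get("x-secondlife-object-key", ""))
    tag = h.get("x-demo-signature", "")  # hypothetical header name
    if secret and hmac.compare_digest(sign(secret, body).encode(), tag.encode()):
        return "authenticated"
    # A known simulator sent it, but nothing proves which object or owner did.
    return "simulator-only"
```

Only the `authenticated` result says anything about the object itself; `simulator-only` corresponds to the case where the headers are informative but not authoritative.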